unknown RPC opcodes during join+logon

Vijay Kota vijay at spinnakernet.com
Fri Sep 20 00:44:38 GMT 2002

But if there is no servicePrincipalName attribute, TGS_REQ for
"cifs/foobar at WINDOWS2000.SPINNAKERNET.COM" fails. So my clients are
not able to get the appropriate Kerberos ticket. (KDC returns

Have I done something incorrectly? Here's my setup:

ldapsearch -Y gssapi -X u:administrator samaccountname=foobar$ \
	altsecurityidentities serviceprincipalname


dn: CN=FOOBAR,CN=Computers,DC=windows2000,DC=spinnakernet,DC=com
altSecurityIdentities: Kerberos:


-----Original Message-----
From: samba-technical-admin at lists.samba.org
[mailto:samba-technical-admin at lists.samba.org] On Behalf Of Luke Howard
Sent: Thursday, September 19, 2002 4:02 PM
To: vijay at spinnakernet.com
Cc: samba-technical at lists.samba.org
Subject: RE: unknown RPC opcodes during join+logon

>But here are the results I got with changes to Samba:
>	Odd name: <credential><4-byte flags = 0x0007ffff>: Access Denied
>	Even name: <credential>,0x6B,0,<flags=0x0007ffff>: Access Denied
>	Odd name: <credential><flags = 0x000001ff>:
>		Success but "servicePrincipalName" attribute in Active
>		Directory disappears
>	Even name: <credential>,0x6B,0,<flags=0x000001ff>:
>		Success but "servicePrincipalName" attribute in Active
>		Directory disappears

I'm ont sure about the 0x6B but I would think that servicePrincipalName 
disappearing would have something to do with Active Directory presuming
that downlevel clients (which negotiate 0x1ff) do not support Kerberos,
and thus do not have a servicePrincipalName. You might try using the
altSecurityIdentities attribute instead, eg:

altSecurityIdentities: Kerberos:cifs/foobar.windows2000.spinnakernet.com

-- Luke

Luke Howard | PADL Software Pty Ltd | www.padl.com

More information about the samba-technical mailing list